California Attorney General Reports Data Breaches Up 600% in 2013

31 Oct 2014

Attorney General Kamala Harris released her second annual California Data Breach Report on October 28, which revealed hacking penetration is up 600% since 2012. This year, the Attorney General issued 12 recommendations to companies in various industries, and to the legislature regarding ways to improve data security practices to improve California consumer protection.

The California Legislature has required (S.B. 24) that, beginning in 2012, all online businesses and government organizations submit copies of their breach notifications to the State Attorney General for all cases where a data breach affected more than 500 California residents. The Attorney General is then required to analyze the hacking incidents, publish statistic and make recommendations each year.

The 2013 report states thatthe Attorney General’s office received 167 data breach notifications in 2013, a 28% increase over the prior year. The reported data breaches involved 18.5 million records of California residents. Two large breaches of Target and LivingSocial each exposed about 7.5 million Californians’ personal data.

But separating out the two mega-hacks of retailers, “the number of records affected would have been 3.5 million, a 35 percent increase over 2012.” The average number of affected records in a breach would have been only about 2,600 in each hack. The report noted on average that the types of data breaches and the data breaches by industry have remained “fairly consistent” over the past two years.

Data breaches in 2013 were classified into four categories: (1) malware and hacking, (2) physical theft and loss, (3) errors, and (4) misuse. More than half of all computer penetrations in 2013 were caused by hacks classified as malware and hacking. Physical theft and loss accounted for about a quarter; unintentional errors accounted for 18 percent of breaches; and misuse by insiders accounted for the balance.

Almost half of all breaches in 2013 involved Social Security numbers, making it “the most frequently compromised data type.” According to the report, the average financial loss “to a consumer who falls victim to the fraudulent use of a credit card account is $63, debit card $170, checking account $222 and Social Security number $289.”

A quarter of the number of breaches was from retail and involved 15.4 million records, or 84% of the 2013 total. Healthcare also involved a similar number of breaches, but just 1.1 million records were involved.

The Attorney General made twelve recommendations for upgrading systems to improve resistance to data exposure. The annual report seems to be an excellent example of non-partisan good government. The fact that a behemoth like Target with huge resources did not know that 70 million of its customers’ data had been vacuumed up for months by an organized crime ring is frightening to most consumers. Having California businesses and the Attorney General cooperating to improve consumer records security should be bad news for the growing number of digitally sophisticated criminal cartels.